+++ /dev/null
-[submodule "ric-infra/10-Nexus/docker/nexus-repository-helm"]
- path = ric-infra/10-Nexus/docker/nexus-repository-helm
- url = https://github.com/sonatype-nexus-community/nexus-repository-helm.git
# install low latency kernel, docker.io, and kubernetes
apt-get update
-apt-get install -y linux-image-4.15.0-45-lowlatency curl jq netcat docker.io=${DOCKERVERSION}
+apt-get install -y virt-what
+if ! echo $(virt-what) | grep "virtualbox"; then
+ # this version of low latency kernel causes virtualbox VM to hand.
+ # install if identifying the VM not being a virtualbox VM.
+ apt-get install -y linux-image-4.15.0-45-lowlatency
+fi
+apt-get install -y curl jq netcat docker.io=${DOCKERVERSION}
apt-get install -y kubernetes-cni=${CNIVERSION}
apt-get install -y --allow-unauthenticated kubeadm=${KUBEVERSION} kubelet=${KUBEVERSION} kubectl=${KUBEVERSION}
apt-mark hold docker.io kubernetes-cni kubelet kubeadm kubectl
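Review bot: The added VirtualBox test `if ! echo $(virt-what) | grep "virtualbox"; then` wraps the command in a needless `echo $(...)` and lets grep print its match into the install log; `if ! virt-what | grep -q virtualbox; then` performs the same check quietly. The comment below it says the kernel causes the VM "to hand", which should read "to hang". Separately, the unchanged context line that installs kubeadm, kubelet and kubectl still passes `--allow-unauthenticated`, so those packages are installed without apt signature verification. That flag is worth dropping once the repository key is configured, which this hunk does not show.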
+++ /dev/null
-Subproject commit 6de97765b747008e3016f202ccbe2dba18667b83
--- /dev/null
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM alpine
+
+MAINTAINER "RIC"
+
+LABEL name="A container with support for creating Kubernetes SSL secrets"
+
+RUN apk update
+
+RUN apk add openssl
+
+# unfortunately not available by itself in apk
+ADD https://storage.googleapis.com/kubernetes-release/release/v1.14.1/bin/linux/amd64/kubectl /bin/kubectl
+RUN chmod +x /bin/kubectl
+
+COPY bin/cert-gen.sh /bin/cert-gen.sh
+COPY bin/svcacct-to-kubeconfig.sh /bin/svcacct-to-kubeconfig.sh
+COPY bin/tls-secrets.sh /tls-secrets.sh
+
+RUN mkdir /pki
+
+CMD /tls-secrets.sh
+
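Review bot: The kubectl binary is fetched with a bare `ADD https://…/kubectl /bin/kubectl`, so nothing in the build verifies the download before it is made executable and later run with the pod's service-account token. Pin it to the published digest, e.g. `ADD --checksum=sha256:<sha256 of the v1.14.1 linux/amd64 kubectl> https://storage.googleapis.com/kubernetes-release/release/v1.14.1/bin/linux/amd64/kubectl /bin/kubectl` (BuildKit), or fetch it in a `RUN` step and compare it with `sha256sum -c`. The base image is also unpinned (`FROM alpine`); give it an explicit tag such as `FROM alpine:<version>`, and fold the two apk steps into `RUN apk add --no-cache openssl` so a cached, stale index layer is never reused. The image has no `USER` line and uses shell-form `CMD`; a dedicated non-root user that owns `/pki`, together with `CMD ["/tls-secrets.sh"]`, would keep key generation and the kubectl calls from running as root.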
--- /dev/null
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dnBase=${CERT_DN:-'/C=US/O=O-RAN Alliance/OU=O-RAN Software Community'}
+keyBits=${KEY_BITS:-4096}
+
+CAHome=${CA_DIR:-'/pki'}
+CADays=${CA_CERT_EXPIRY:-9125}
+CAKey=${CAHome}/${CA_KEY_NAME:-ca.key.pem}
+CACert=${CAHome}/${CA_CERT_NAME:-ca.cert.pem}
+#
+CertHome=${CERT_DIR:-$CAHome}
+#
+TillerDays=${TILLER_CERT_EXPIRY:-3650}
+TillerKey=${CertHome}/${TILLER_KEY_NAME:-tiller.key.pem}
+TillerCert=${CertHome}/${TILLER_CERT_NAME:-tiller.cert.pem}
+TillerCN=${TILLER_CN:-tiller}
+#
+HelmDays=${HELM_CERT_EXPIRY:-3650}
+HelmKey=${CertHome}/${HELM_KEY_NAME:-helm.key.pem}
+HelmCert=${CertHome}/${HELM_CERT_NAME:-helm.cert.pem}
+HelmCN=${HELM_CN:-helm}
+
+# 1. CA
+if [ ! -d ${CAHome} ]; then
+ mkdir -p ${CAHome}
+fi
+if [ ! -f ${CAKey} ]; then
+ openssl genrsa -out ${CAKey} ${keyBits}
+fi
+if [ ! -f ${CACert} ]; then
+ openssl req -new -x509 -extensions v3_ca -sha256 -days ${CADays} \
+ -key ${CAKey} \
+ -out ${CACert} \
+ -subj "${dnBase}"
+fi
+
+# 2. tiller server cert
+if [ ! -f ${TillerKey} ]; then
+ openssl genrsa -out ${TillerKey} ${keyBits}
+fi
+if [ ! -f ${TillerCert} ]; then
+ CSR=`mktemp`
+ openssl req -new -sha256 \
+ -key ${TillerKey} \
+ -out ${CSR} \
+ -subj "${dnBase}/CN=${TillerCN}"
+ openssl x509 -req -CAcreateserial -days ${TillerDays} \
+ -CA ${CACert} \
+ -CAkey ${CAKey} \
+ -in ${CSR} \
+ -out ${TillerCert}
+fi
+
+# 3. helm client cert
+if [ ! -f ${HelmKey} ]; then
+ openssl genrsa -out ${HelmKey} ${keyBits}
+fi
+if [ ! -f ${HelmCert} ]; then
+ CSR=`mktemp`
+ openssl req -new -sha256 \
+ -key ${HelmKey} \
+ -out ${CSR} \
+ -subj "${dnBase}/CN=${HelmCN}"
+ openssl x509 -req -CAcreateserial -days ${HelmDays} \
+ -CA ${CACert} \
+ -CAkey ${CAKey} \
+ -in ${CSR} \
+ -out ${HelmCert}
+fi
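Review bot: The CA and leaf private keys may end up readable by other users, depending on the inherited umask and the OpenSSL version, and the script continues after a failed openssl call because there is no `set -e`. Adding `set -e` and `umask 077` directly above the `# 1. CA` block covers both. The two `openssl x509 -req` invocations omit `-sha256`, unlike the `openssl req` calls, so the signature digest on the tiller and helm certificates is left to the installed OpenSSL's default; pass `-sha256` there as well. The `mktemp` CSR files are never removed, so add `rm -f "${CSR}"` after each signing step. Path variables such as `${CAKey}` are expanded unquoted, which breaks if `CA_DIR` or a key name contains whitespace.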
--- /dev/null
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# generate a kubconfig (at ${KUBECONFIG} file from the automatically-mounted
+# service account token.
+# ENVIRONMENT:
+# SVCACCT_NAME: the name of the service account user. default "default"
+# CLUSTER_NAME: the name of the kubernetes cluster. default "kubernetes"
+# KUBECONFIG: where the generated file will be deposited.
+SVCACCT_TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`
+CLUSTER_CA=`base64 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt|tr -d '\n'`
+
+cat >${KUBECONFIG} <<__EOF__
+ApiVersion: v1
+kind: Config
+users:
+- name: ${SVCACCT_NAME:-default}
+ user:
+ token: ${SVCACCT_TOKEN}
+clusters:
+- cluster:
+ certificate-authority-data: ${CLUSTER_CA}
+ server: https://kubernetes.default.svc.cluster.local/
+ name: ${CLUSTER_NAME:-kubernetes}
+contexts:
+- context:
+ cluster: ${CLUSTER_NAME:-kubernetes}
+ user: ${SVCACCT_NAME:-default}
+ name: svcs-acct-context
+current-context: svcs-acct-context
+__EOF__
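Review bot: The generated kubeconfig embeds the service-account bearer token, but `cat >${KUBECONFIG}` creates the file under the inherited umask, so it may be readable by other users in the container or on a shared volume; put `umask 077` before the heredoc. `KUBECONFIG` is also used unquoted and unchecked, so an unset value makes the redirection fail with an unhelpful shell error. Adding `: "${KUBECONFIG:?KUBECONFIG must be set}"` at the top and writing `cat >"${KUBECONFIG}"` makes that failure explicit. The first key is written as `ApiVersion`, whereas the kubeconfig field is `apiVersion`; using the canonical spelling is safer than relying on case-insensitive parsing. The header comment has a typo (`kubconfig`) and an unclosed parenthesis.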
--- /dev/null
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+
+export ENTITIES=${ENTITIES:-helm tiller}
+export KUBECONFIG=${KUBECONFIG:-/kubeconfig}
+export CA_DIR=${CA_DIR:-/pki}
+if [ ! -z ${TARGET_NAMESPACE} ]; then
+ SECRET_NS="--namespace ${TARGET_NAMESPACE}"
+else
+ SECRET_NS=''
+fi
+
+if [ ! -f ${KUBECONFIG} ]; then
+ export SVCACCT_NAME=${SVCACCT_NAME:-tiller}
+ /bin/svcacct-to-kubeconfig.sh
+fi
+
+if [ ! -f ${CA_DIR}/helm.key.pem -o \
+ ! -f ${CA_DIR}/tiller.key.pem ]; then
+ /bin/cert-gen.sh
+fi
+
+# i'm assuming we can just lose the CA key.
+for entity in ${ENTITIES}; do
+ kubectl create secret generic \
+ --from-file=ca.crt=/pki/ca.cert.pem \
+ --from-file=tls.crt=/pki/${entity}.cert.pem \
+ --from-file=tls.key=/pki/${entity}.key.pem \
+ ${SECRET_NS} ${entity}
+
+ kubectl label secret \
+ ${SECRET_NS} ${entity} \
+ app=helm \
+ name=${entity}
+done
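Review bot: The `kubectl create secret` arguments hard-code `/pki` although the script exports a configurable `CA_DIR` and tests `${CA_DIR}/helm.key.pem` above, so with `CA_DIR` overridden the certificates are generated in one directory and read from another. Use the variable instead: `--from-file=ca.crt=${CA_DIR}/ca.cert.pem`, `--from-file=tls.crt=${CA_DIR}/${entity}.cert.pem`, `--from-file=tls.key=${CA_DIR}/${entity}.key.pem`. The comment `i'm assuming we can just lose the CA key` is not acted on, because `ca.key.pem` stays in that directory. If the directory is a persistent volume, anyone who can read it can issue further helm/tiller certificates, so either delete the key after signing or document where it is kept. There is also no `set -e`, so a failure in `/bin/cert-gen.sh` still reaches the kubectl calls.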
--- /dev/null
+---
+tag: 0.0.1
fi
-
+mkdir /tmp/$CHART_NAME/config/
+mkdir /tmp/$CHART_NAME/descriptors/
cp $CONFIG_JSON_PATH /tmp/$CHART_NAME/config/
cp $DESCRIPTOR_PATH /tmp/$CHART_NAME/descriptors/
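Review bot: The two added `mkdir` calls fail if the directories are left over from an earlier run, and they expand `$CHART_NAME` unquoted; `mkdir -p "/tmp/$CHART_NAME/config/" "/tmp/$CHART_NAME/descriptors/"` handles both. The staging path under `/tmp` is predictable from the chart name, so on a shared host another user could pre-create it. A `mktemp -d` directory would avoid that, though the code that creates `/tmp/$CHART_NAME` itself is outside this hunk.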
{{- $rtmgrrmrservice := .Values.ricplt.rtmgrRMRService | quote -}}
{{- $a1mediatorrmrservice := .Values.ricplt.a1mediatorRMRService | quote -}}
-{{ (.Files.Glob "config/*").AsConfig | replace "__DBAAS_SERVICE__" $dbaasservice | replace "__PLT_INGRESS_URL__" $pltingressurl | replace "__XAPP_INGRESS_URL__" $xappingressurl | replace "__APPMGR_RMR_SERVICE__" $appmgrrmrservice | replace "__E2MGR_RMR_SERVICE__" $e2mgrrmrservice | replace "__E2TERM_RMR_SERVICE__" $e2termrmrservice | replace "__RTMGR_RMR_SERVICE__" $rtmgrrmrservice | replace "__A1MEDIATOR_RMR_SERVICE__" $a1mediatorrmrservice | indent 2 }}
+{{- (.Files.Glob "config/*").AsConfig | replace "__DBAAS_SERVICE__" $dbaasservice | replace "__PLT_INGRESS_URL__" $pltingressurl | replace "__XAPP_INGRESS_URL__" $xappingressurl | replace "__APPMGR_RMR_SERVICE__" $appmgrrmrservice | replace "__E2MGR_RMR_SERVICE__" $e2mgrrmrservice | replace "__E2TERM_RMR_SERVICE__" $e2termrmrservice | replace "__RTMGR_RMR_SERVICE__" $rtmgrrmrservice | replace "__A1MEDIATOR_RMR_SERVICE__" $a1mediatorrmrservice | nindent 2 }}
- name: http
containerPort: {{ .Values.ricxapp.service.http.containerPort }}
protocol: TCP
- - name: rmrRoute
+ - name: rmrroute
containerPort: {{ .Values.ricxapp.service.rmr.route.port }}
protocol: TCP
- - name: rmrData
+ - name: rmrdata
containerPort: {{ .Values.ricxapp.service.rmr.data.port }}
protocol: TCP
volumeMounts:
envFrom:
- configMapRef:
name: {{ include "ricxapp.configmapname" . }}-appenv
+ {{- if .Values.ricxapp.livenessProbe }}
livenessProbe:
- httpGet:
- path: {{ .Values.ricxapp.probes.healthAliveCheckEndpoint }}
- port: {{ .Values.ricxapp.service.http.containerPort }}
- initialDelaySeconds: 5
- periodSeconds: 15
+ {{- .Values.ricxapp.livenessProbe | nindent 12 -}}
+ {{ end }}
+ {{- if .Values.ricxapp.readinessProbe }}
readinessProbe:
- httpGet:
- path: {{ .Values.ricxapp.probes.healthReadyCheckEndpoint }}
- port: {{ .Values.ricxapp.service.http.containerPort }}
- initialDelaySeconds: 5
- periodSeconds: 15
+ {{- .Values.ricxapp.readinessProbe | nindent 12 -}}
+ {{ end }}
restartPolicy: Always
volumes:
- name: config-volume
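Review bot: The probes are now rendered from free-form block strings (`{{- .Values.ricxapp.livenessProbe | nindent 12 -}}`), so the chart cannot validate their content and a user cannot override a single field such as `periodSeconds` without restating the whole string. A malformed value only surfaces when the API server rejects the manifest. Taking each probe as a map in values and rendering it with `{{- toYaml .Values.ricxapp.livenessProbe | nindent 12 }}` (and the same for `readinessProbe`) keeps the values structured and lintable. The matching values hunk also replaces the reference to `.Values.ricxapp.service.http.containerPort` with a literal `port: 8080`, so the probe port can silently drift from the container port.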
type: ClusterIP
ports:
- port: {{ .Values.ricxapp.service.rmr.data.port }}
- targetPort: rmrData
+ targetPort: rmrdata
protocol: TCP
- name: rmrData
+ name: rmrdata
- port: {{ .Values.ricxapp.service.rmr.route.port }}
- targetPort: rmrRoute
+ targetPort: rmrroute
protocol: TCP
- name: rmrRoute
+ name: rmrroute
selector:
app: {{ include "ricxapp.namespace" . }}-{{ include "ricxapp.name" . }}
release: {{ .Release.Name }}
data:
port: 4560
- probes:
- healthAliveCheckEndpoint: ric/v1/health/alive
- healthReadyCheckEndpoint: ric/v1/health/ready
+ livenessProbe: |-
+ httpGet:
+ path: ric/v1/health/alive
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 15
+
+ readinessProbe: |-
+ httpGet:
+ path: ric/v1/health/ready
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 15
+
appconfig:
path: /opt/ric/config